<meta charset="utf-8">
(#) Misuse of Sign in with Google API

!!! WARNING: Misuse of Sign in with Google API
   This is a warning.

Id
:   `CredentialManagerSignInWithGoogle`
Summary
:   Misuse of Sign in with Google API
Severity
:   Warning
Category
:   Correctness
Platform
:   Android
Vendor
:   Android Open Source Project
Feedback
:   https://issuetracker.google.com/issues/new?component=192708
Since
:   8.7.0 (October 2024)
Affects
:   Kotlin and Java files
Editing
:   This check can *not* run live in the IDE editor
See
:   https://developer.android.com/identity/sign-in/credential-manager-siwg#create-sign
Implementation
:   [Source Code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-checks/src/main/java/com/android/tools/lint/checks/CredentialManagerSignInWithGoogleDetector.kt)
Tests
:   [Source Code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-tests/src/test/java/com/android/tools/lint/checks/CredentialManagerSignInWithGoogleDetectorTest.kt)

When using `:googleid` classes like `GetGoogleIdOption` and
`GetSignInWithGoogleOption`, you typically must handle the response
using `GoogleIdTokenCredential.TYPE_GOOGLE_ID_TOKEN_CREDENTIAL` or
`GoogleIdTokenCredential.TYPE_GOOGLE_ID_TOKEN_SIWG_CREDENTIAL`.

This check reports all uses of these `:googleid` classes if there are no
references to `GoogleIdTokenCredential`.

(##) Example

Here is an example of lint warnings produced by this check:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~text
src/com/example/app/Foo.kt:9:Warning: Use of :googleid classes without
use of GoogleIdTokenCredential [CredentialManagerSignInWithGoogle]
    val googleIdOption = GetGoogleIdOption.Builder().build()
                         -----------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here is the source file referenced above:

`src/com/example/app/Foo.kt`:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~kotlin linenumbers
package com.example.app

import androidx.credentials.GetCredentialResponse
import androidx.credentials.PublicKeyCredential
import com.google.android.libraries.identity.googleid.GetGoogleIdOption

class Foo {
    fun foo() {
        val googleIdOption = GetGoogleIdOption.Builder().build()
    }

    fun handleSignIn(result: GetCredentialResponse) {
        when (val credential = result.credential) {
            is PublicKeyCredential -> {
                bar()
            }
            else -> {}
        }
    }

    fun bar() { TODO() }
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can also visit the
[source code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-tests/src/test/java/com/android/tools/lint/checks/CredentialManagerSignInWithGoogleDetectorTest.kt)
for the unit tests for this check to see additional scenarios.

(##) Suppressing

You can suppress false positives using one of the following mechanisms:

* Using a special `lint.xml` file in the source tree which turns off
  the check in that folder and any sub folder. A simple file might look
  like this:
  ```xml
  &lt;?xml version="1.0" encoding="UTF-8"?&gt;
  &lt;lint&gt;
      &lt;issue id="CredentialManagerSignInWithGoogle" severity="ignore" /&gt;
  &lt;/lint&gt;
  ```
  Instead of `ignore` you can also change the severity here, for
  example from `error` to `warning`. You can find additional
  documentation on how to filter issues by path, regular expression and
  so on
  [here](https://googlesamples.github.io/android-custom-lint-rules/usage/lintxml.md.html).

* In Gradle projects, using the DSL syntax to configure lint. For
  example, you can use something like
  ```gradle
  lintOptions {
      disable 'CredentialManagerSignInWithGoogle'
  }
  ```
  In Android projects this should be nested inside an `android { }`
  block.

* For manual invocations of `lint`, using the `--ignore` flag:
  ```
  $ lint --ignore CredentialManagerSignInWithGoogle ...`
  ```

* Last, but not least, using baselines, as discussed
  [here](https://googlesamples.github.io/android-custom-lint-rules/usage/baselines.md.html).

<!-- Markdeep: --><style class="fallback">body{visibility:hidden;white-space:pre;font-family:monospace}</style><script src="markdeep.min.js" charset="utf-8"></script><script src="https://morgan3d.github.io/markdeep/latest/markdeep.min.js" charset="utf-8"></script><script>window.alreadyProcessedMarkdeep||(document.body.style.visibility="visible")</script>